[opensuse-security] Packages from "update" (11.0) unsigned?
Hi,
I noticed that for the last 5(?) times I got unsigned packages from the http://download.opensuse.org/updates/11.0 repository. As far as I know, these are security updates - shouldn't they be signed?
I update my 11.0 boxes manually, and use apt at first hand. Apt fetches the packages from the update channel, but refuses to install them because of the lacking signature. Manual install (rpm -Uvh ...) and installation via zypper do not give any warning...
Is the signature-less packaging a new feature? ;-) Or are these packages signed in a way that apt does not recognize?
Regards, Werner
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Werner Flamme wrote:
I noticed that for the last 5(?) times I got unsigned packages from the http://download.opensuse.org/updates/11.0 repository. As far as I know, these are security updates - shouldn't they be signed?
Of course. Which ones are not signed? Looking at random samples on our staging server everything looks fine.
cu Ludwig
--
(o_  Ludwig Nussel
//\  V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ludwig Nussel [21.01.2009 10:31]:
Werner Flamme wrote:
I noticed that for the last 5(?) times I got unsigned packages from the http://download.opensuse.org/updates/11.0 repository. As far as I know, these are security updates - shouldn't they be signed?
Of course. Which ones are not signed? Looking at random samples on our staging server everything looks fine.
cu Ludwig
Ludwig,
sorry, I was looking at 11.1 update repo, not 11.0.
Apt told me - for example - packages xrdp and autofs were unsigned. Now
I see:
# rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
Hm... what does rpm know that apt doesn't? And why does apt
(apt-0.5.15lorg3.2-123.14) cry about "unsigned", when it is signed?
On a 11.0 box, the checks tell:
# rpm --checksig autofs-5.0.3-82.28.1.x86_64.rpm
autofs-5.0.3-82.28.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284)
# rpm --checksig xrdp-0.4.1-16.6.1.x86_64.rpm
xrdp-0.4.1-16.6.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284)
OK, the key may be specific to 11.1. Normally, apt tells me that a
package is signed with an unknown key... This may be the case on the
11.1 box:
# gpg --list-keys --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg 3dbdc284
pub 2048R/3DBDC284 2008-11-07 [expires: 2010-11-07]
uid openSUSE Project Signing Key
Hello,
I think there is an error in the URL: there is one "s" too many in "update".
http://download.opensuse.org/updates/11.0 => http://download.opensuse.org/update/11.0/
GaLaGaNN
--
Club LinuX Nord-Pas de Calais : clx@gaia.anet.fr & clx-manifs@gaia.anet.fr
French-speaking openSUSE and SUSE Linux mutual-help community: http://www.alionet.org
GaLaGaNN's Blog : http://galagann.lautre.net
GaLaGaNN [21.01.2009 12:50]:
Hello,
I think there is an error in the URL: there is one "s" too many in "update".
http://download.opensuse.org/updates/11.0 => http://download.opensuse.org/update/11.0/
You're right, but that was a typo, not the cause :-) - I *got* the files, so the URL I used was correct, only the URL I mailed was false ;-)
Regards, Werner
Werner Flamme [21.01.2009 11:50]:
Apt told me - for example - packages xrdp and autofs were unsigned. Now I see:
# rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
Hm... what does rpm know that apt doesn't? And why does apt (apt-0.5.15lorg3.2-123.14) cry about "unsigned", when it is signed?
Now I know: apt does not know "pgp", it looks for "gpg".
In /usr/lib64/apt/scripts/gpg-checker.lua I found that apt performs "/bin/rpm --checksig" and parses the output. I see:
if string.find(line, "gpg") then break
maybe because in 11.0 the packages are signed with gpg, and in 11.1 with pgp? Obviously, I am not the only one who missed the announcement that the signing method changed, since I can't find a newer apt on the build service ;-)
On 11.0:
rpm --checksig /home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm
/home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
On 11.1:
rpm --checksig /var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm
/var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
Both rpms are from the respective "update" repo. I doubled the if-statement in gpg-checker.lua and changed "gpg" to "pgp" in the copy. The next update on 11.1 will show if it helps :-)
Think this may result in a bugzilla entry for apt ;-)
Regards, Werner
On Thu, Jan 22, 2009 at 09:34:46AM +0100, Werner Flamme wrote:
Werner Flamme [21.01.2009 11:50]:
Apt told me - for example - packages xrdp and autofs were unsigned. Now I see:
# rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
Hm... what does rpm know that apt doesn't? And why does apt (apt-0.5.15lorg3.2-123.14) cry about "unsigned", when it is signed?
Now I know: apt does not know "pgp", it looks for "gpg".
In /usr/lib64/apt/scripts/gpg-checker.lua I found that apt performs "/bin/rpm --checksig" and parses the output. I see:
if string.find(line, "gpg") then break
maybe because in 11.0 the packages are signed with gpg, and in 11.1 with pgp? Obviously, I am not the only one who missed the announcement that the signing method changed, since I can't find a newer apt on the build service ;-)
On 11.0:
rpm --checksig /home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm
/home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
On 11.1:
rpm --checksig /var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm
/var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
Both rpms are from the respective "update" repo. I doubled the if-statement in gpg-checker.lua and changed "gpg" to "pgp" in the copy. The next update on 11.1 will show if it helps :-)
Think this may result in a bugzilla entry for apt ;-)
We changed the signature method to allow other digest algorithms, that's why this changed.
Ciao, Marcus
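The failure Werner traced in gpg-checker.lua is a parser problem: the script decided "signed" by searching the rpm --checksig line for the literal token "gpg", so the RSA-signed 11.1 packages, which rpm reports as "pgp", were treated as unsigned, while the 11.0 box's "NOT OK (MISSING KEYS: ...)" result is the one that actually deserves a refusal. The following is an added example, not code from the thread, from apt or from openSUSE. It parses rpm --checksig lines into a signature-present / key-missing / failed / plain-digest verdict instead of grepping for one algorithm name. The first three sample lines are the outputs quoted in the thread; the unsigned and tampered lines are constructed for the example, and the rule that rpm prints a check it could not verify in upper case is an assumption about rpm's output convention, not something the thread states.

```python
"""Classify `rpm --checksig` output instead of grepping it for "gpg".

Added example for this thread; it is not apt's gpg-checker.lua and not
openSUSE code.  It shows why a script that looks for the literal token
"gpg" declares the RSA/"pgp"-signed 11.1 packages unsigned, and what a
checker should look at instead: whether any signature token is present,
whether rpm could verify it, and whether keys were missing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Tokens rpm prints for signatures (the DSA/"gpg" style seen on 11.0 and the
# RSA/"pgp" style the thread reports for 11.1) and for plain digests.
SIGNATURE_TOKENS = {"gpg", "pgp", "dsa", "rsa"}
DIGEST_TOKENS = {"md5", "sha1"}

LINE_RE = re.compile(r"^(?P<path>.+?): (?P<body>.*?) (?P<verdict>NOT OK|OK)(?P<extra>.*)$")
MISSING_KEYS_RE = re.compile(r"\(MISSING KEYS: ([^)]*)\)")


@dataclass
class CheckSig:
    path: str
    tokens: List[str]        # e.g. ["rsa", "sha1", "(md5)", "pgp", "md5"]
    verdict: str             # "OK" or "NOT OK"
    missing_keys: List[str]  # e.g. ["PGP#3dbdc284"]

    @property
    def has_signature(self) -> bool:
        # Algorithm-name agnostic: "gpg" and "pgp" are both signatures.
        return any(t.strip("()").lower() in SIGNATURE_TOKENS for t in self.tokens)

    @property
    def failed_checks(self) -> List[str]:
        # Assumption about rpm's convention: a check it could not verify
        # (bad digest/signature, missing key) is printed in upper case.
        return [t for t in self.tokens if t.strip("()").isupper()]


def parse_checksig(line: str) -> CheckSig:
    """Parse one output line of `rpm --checksig`; raise on anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an rpm --checksig line: %r" % line)
    keys = MISSING_KEYS_RE.search(m.group("extra"))
    return CheckSig(
        path=m.group("path"),
        tokens=m.group("body").split(),
        verdict=m.group("verdict"),
        missing_keys=keys.group(1).split() if keys else [],
    )


def classify(sig: CheckSig) -> str:
    """Reduce a parsed line to the decision an installer has to make."""
    if not sig.has_signature:
        # Only digests were checked: "OK" says the file is intact, not who built it.
        return "unsigned"
    if sig.missing_keys:
        return "signed-unknown-key"
    if sig.verdict != "OK" or sig.failed_checks:
        return "signed-bad"
    return "signed-ok"


def apt_style_check(line: str) -> bool:
    """The heuristic the thread describes (string.find(line, "gpg")), for contrast."""
    return "gpg" in line


def audit(lines: List[str]) -> Dict[str, str]:
    """Map each package path to its classification."""
    return {sig.path: classify(sig) for sig in map(parse_checksig, lines)}


# Sample input.  The first three lines are the rpm outputs quoted in the
# thread (the wrapped "NOT OK" line rejoined); the last two are constructed
# for this example and did not appear there.
SAMPLE_LINES = [
    "/home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK",
    "/var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK",
    "autofs-5.0.3-82.28.1.x86_64.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284)",
    "unsigned-example-1.0-1.x86_64.rpm: sha1 md5 OK",                 # constructed: no signature at all
    "tampered-example-1.0-1.x86_64.rpm: (SHA1) DSA SHA1 MD5 NOT OK",  # constructed: checks failed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        sig = parse_checksig(line)
        print("%-20s apt-style=%-5s %s" % (classify(sig), apt_style_check(line), sig.path))
```

Run stand-alone it prints one verdict per line next to what the substring heuristic would have said: the 11.0 kernel line passes both, the 11.1 xrdp line is signed-ok here but "unsigned" to the substring check, and the autofs line from the 11.0 box comes out as signed-unknown-key, the case an installer should refuse or at least warn about. The unsigned constructed line is the caveat worth remembering from this thread: rpm answers "OK" for a package whose digests match even when no signature is present, so "OK" alone is not evidence of origin.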
participants (4)
- GaLaGaNN
- Ludwig Nussel
- Marcus Meissner
- Werner Flamme